Commit 1513ea4a authored by Julian Rother's avatar Julian Rother

Introduced path sanitizing

parent 1af75a44
......@@ -75,9 +75,9 @@ int main(int argc, char *argv[])
jobid = atoi(argv[1]);
if (!strcmp(argv[2], "probe-raw"))
path = mprintf("%s/%s", getenv(WORKER_RAW), jstr(jlookup(argv[4], "path"), ""));
path = buildpath(getenv(WORKER_RAW), jstr(jlookup(argv[4], "path"), 0));
else
path = mprintf("%s/%s", getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), ""));
path = buildpath(getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), 0));
ping_job(jobid, "running", 0);
opts = 0;
......
......@@ -13,8 +13,8 @@ int main(int argc, char *argv[])
init_env();
init_avlogbuf();
jobid = atoi(argv[1]);
src = mprintf("%s/%s", getenv(WORKER_TMP), jstr(jlookup(argv[4], "source"), ""));
dest = mprintf("%s/%s", getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), ""));
src = buildpath(getenv(WORKER_TMP), jstr(jlookup(argv[4], "source"), 0));
dest = buildpath(getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), 0));
destdir = dirname(mprintf("%s/%s", getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), "")));
ping_job(jobid, "running", 0);
overwrite_check(dest, 0, 0);
......
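Review bot: `destdir` is still built from the raw `path` value with `mprintf("%s/%s", getenv(WORKER_RELEASED), ..., "")`, so whatever `main` does with `destdir` after this hunk is not covered by the containment check now applied to `dest`. Deriving it from the validated value keeps the two in agreement, for example `destdir = dirname(mprintf("%s", dest));`. The copy is needed because `dirname` may modify its argument. The old `""` default also remains on that line, so a missing `path` is handled differently for `dest` and `destdir`.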
......@@ -21,8 +21,8 @@ int main(int argc, char *argv[])
av_init_packet(&pkt);
jobid = atoi(argv[1]);
path = mprintf("%s/%s", getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), ""));
srcpath = mprintf("%s/%s", getenv(WORKER_RAW), jstr(jlookup(argv[4], "srcpath"), ""));
path = buildpath(getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), 0));
srcpath = buildpath(getenv(WORKER_RAW), jstr(jlookup(argv[4], "srcpath"), 0));
tmp = mprintf("%s/.tmp-%i", getenv(WORKER_TMP), jobid);
overwrite_check(path, srcpath, jstr(jlookup(argv[4], "srchash"), ""));
ping_job(jobid, "running", 0);
......
......@@ -37,7 +37,7 @@ int main(int argc, char *argv[])
/* Prepare arguments */
jobid = atoi(argv[1]);
src = mprintf("%s/%s", getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), ""));
src = buildpath(getenv(WORKER_RELEASED), jstr(jlookup(argv[4], "path"), 0));
tmp = mprintf("%s/.tmp-%i", getenv(WORKER_TMP), jobid);
dest = mprintf("%s/thumbnail/l_%s.jpg", getenv(WORKER_RELEASED),
jstr(jlookup(argv[4], "lectureid"), "0"));
......
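Review bot: `lectureid` is still interpolated into `dest` as an unchecked string through `jstr(jlookup(argv[4], "lectureid"), "0")`, so a value containing `/` or `..` would move the thumbnail path out of `thumbnail/` even though `src` is now validated. If lecture ids are numeric (presumably, to be confirmed against whatever produces the job JSON), reject anything that is not all digits before building `dest`. Alternatively, validate the `thumbnail` directory with `buildpath` and append the file name afterwards. `main` continues outside this hunk.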
......@@ -270,9 +270,9 @@ int main(int argc, char *argv[])
jobid = atoi(argv[1]);
input = jlookup(argv[4], "input");
inpath = mprintf("%s/%s", getenv(WORKER_RAW), jstr(jlookup(input, "path"), ""));
inpath = buildpath(getenv(WORKER_RAW), jstr(jlookup(input, "path"), 0));
output = jlookup(argv[4], "output");
outpath = mprintf("%s/%s", getenv(WORKER_RELEASED), jstr(jlookup(output, "path"), ""));
outpath = buildpath(getenv(WORKER_RELEASED), jstr(jlookup(output, "path"), 0));
tmppath = mprintf("%s/.tmp-%i", getenv(WORKER_TMP), jobid);
overwrite_check(outpath, inpath, jstr(jlookup(input, "hash"), ""));
......
......@@ -18,6 +18,7 @@ size_t filesize(char *path);
char *json_fileinfo(char *path);
void overwrite_check(char *path, char *srcpath, char *srchash);
int checktime(time_t min);
char *buildpath(char *root, char *path);
#define WORKER_APIKEY "WORKER_APIKEY"
#define WORKER_APIBASE "WORKER_APIBASE"
......
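Review bot: The new `buildpath` prototype has no comment, and its contract cannot be read from the signature. Going by the definition in this commit, it reports failure through `job_failed` or `exit(99)` rather than through a return value, it needs the target to exist because it resolves with `realpath`, and it returns a heap string the caller must `free`. I would put a short comment above the declaration, e.g. `/* Resolve path below root and return a malloc'd absolute path; fails the job if path is missing or leaves root. */`.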
#include <stdlib.h>
#include "../util.h"
char *buildpath(char *root, char *path)
{
char *tmp;
if (!path)
job_failed("Cannot build path: Value is empty");
if (!(root = realpath(root, 0)))
exit(99);
tmp = mprintf("%s/%s", root, path);
if (!(path = realpath(tmp, 0)))
exit(99);
free(tmp);
if (strncmp(root, path, strlen(root)))
job_failed("Cannot build path: Path points out of root directory");
free(root);
return path;
}
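Review bot: The containment test `strncmp(root, path, strlen(root))` is a plain string-prefix comparison, so a resolved path in a sibling directory whose name only starts with the root's name passes it (constructed example: root `/data/released`, path `/data/released-old/x`). The comparison should also require a component boundary after the prefix, e.g. `size_t n = strlen(root);` followed by `if (strncmp(root, path, n) || (path[n] != '/' && path[n] != '\0'))`, with a special case if the root can ever be `/`. Separately, `realpath` fails for targets that do not exist yet, which looks like the normal case for the `dest`, `outpath` and `path` output arguments in the other files. That failure exits with 99 and no `job_failed` message, so resolving the parent directory and appending the final component afterwards would handle it. The check also holds only at the moment it runs, because a symlink replaced afterwards is not re-checked when the file is opened.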